Ordinarily all cache tuning information are found in the Portal tuning guides below at the bottom of the page . The documentation usually contain the recommended cache sizes and lifetime as well as how/where to set. WSSECUREMAP is not one of them . There is the description but not how to set it even though it must be stated you probably may not need to tune this cache often
Here is how and where to tune it
WSSecureMap is the DynaCache used for Security Attribute Propagation. This cache should be created with DynaCache default size of 2000.
The DynaCache default could be changed but that would affect all caches created with the DynaCache default.
1. If you wish to change only the size of WSSecureMap, you can use following 2 custom properties:
com.ibm.ws.security.WSSecureMapSize=X (X = desired size - positive integer more than 100)
Note that the specified size is used ONLY if the ...InitAtStartup property is also configured and set to true.
To set the property from administrative console page,
Click Security > Global security > Custom properties
Click New to add new custom properties and associated values as mentioned.
2. The lifetime of entries cannot be configured. Entries in this cache remain valid until the Subject contained in the entry is no longer
valid. This is usually the LTPA timeout which defaults to 2 hours. If you have any problem ( Ex: WSSecureMap is not working as expected)
If you have any issues with this cache, Open a support pmr with the Security Mustgather http://www-01.ibm.com/support/docview.wss?uid=swg21470063
Portal Caches information [http://www-10.lotus.com/ldd/portalwiki.nsf/dx/WebSphere_Portal_caches_%28Tuning_Guide_6.1.x%29]
Portal 7 tuning guide [http://www-10.lotus.com/ldd/portalwiki.nsf/dx/WebSphere_Portal_Tun]
Many login performance issues turn out to be delays in resolving group membership. WebSphere Portal attempts to resolve group membership at each login. There are a few things a Portal administrator can do to make the process of resolving group membership as efficient as possible. Reducing the load on the LDAP is a bonus.
1. If your LDAP supports it, implement a membership attribute
. Set the scope as broadly as your LDAP supports. Hopefully, the LDAP's membership attribute lists all of a user's group memberships (direct, nested, and dynamic).
Note: Be sure that any groups returned by the membership attribute can be resolved within the realm defined in VMM. Failures will occur if the membership attribute returns a group DN that VMM cannot look up.
2. Unless your application requires them, avoid using dynamic groups since resolving their membership exacts a high cost. If you need dynamic groups in your application, consider keeping them locally with this alternative
4. Configure a federated repository so that VMM resolves group membership during the WAS login process. Then configure Portal to reuse WAS group information
(user management only, to maximize performance).
Note: You can reuse WAS group information even in a standalone LDAP configuration - I just like the VMM functionality for resolving group membership better.
There are some additional tweaks you can make with PAC caches, VMM caches, and context pooling, but these four items should help a great deal in resolving any performance delays in resolving group membership during Portal login.
A frequent question asked is "WebSphere Portal ships with a lot of applications. But, I don't need all of those applications. Each of the applications takes time to start when the Portal server starts, and, consumes memory/CPU during runtime. How do I know which applications are required for the Portal server to function, and which are optional and can be safely disabled?".
For Portal 6.1.x, please see the following Technote: "How to disable unused applications in WebSphere Portal V6.1.x"
As many of you are aware, Quickr 8.5 has the option to install DB2 along with server itself. Unfortunately if the /home directory is not local errors may appear after DB2 is being installed. They indicates that the 'qkradmin' user cannot run any db2 commands:
-bash: db2start: command not found
The only recourse is to install to a local /home directory until these duplicate RHEL bugs are fixed:
I will post more updates on resolving this issue as I get them
WebSphere Portal 6.1 and 7.0 out of the box utilize a file repository in a Virtual Member Manager (VMM) federated repositories. During installation of WebSphere Portal, a prompt is given to create a new username and password. The username and password are created in the file repository and utilized by WebSphere Portal during runtime, and during installation/configuration tasks. When the system is ready to be configured to an enterprise LDAP, with a standalone LDAP configuration, the file repository no longer is available and only a single LDAP is available for use. With a federated repositories configuration, a file repository and one or more LDAP may exist simultaneously. A decision should be made as to whether to keep the file repository, or, remove it. In general, the recommendation is to remove the file repository.
Why Keep the File Repository?
The most common reason to keep the file repository is to have a location other than the LDAP to store the administrative users. In the event of an LDAP outage, the file repository would still be available and allow login to the WebSphere Application Server and/or Portal server. For these scenarios, we instead strongly recommend customers setup a database user registry with their Portals. The database user registries do not have nearly the number of limitations as do the file repositories, allow for a more flexible configuration of the system, and do not have nearly the performance penalty as do file repositories. More information on database user registries are available here:
Why Remove the File Repository?
In general, WebSphere Portal recommends to remove the file repository in production systems:
"Note: It is not recommended to use the file-based repository in a production environment".
There are several limitations on the file repository which may limit functionality (and potentially performance) of the system.
- Limitation #1: Administrator groups are restricted to adding users from same repository
"Only the database entry mapping repositories support the creation of a group with members that exist in repositories outside the database repository. If you use a Lightweight Directory Access Protocol (LDAP) registry, you can assign a member to a group within that same LDAP registry. Similarly, if you use a file repository, you can assign a member to a group within that same file repository. "
End Result: You may not have an administrative user in the file repository which belongs to an administrators group in the LDAP, and vice-versa.
- Limitation #2: Client certificate login not supported with file repository
"Client certificate login is not supported in a realm that includes a single built-in, file-based repository or a single built-in, file-based repository with other repositories."
End Result: This is a rare, but valid security configuration not available with the file repository.
- Limitation #3: Cluster-only - changes to file repository must be manually replicated
"Changes to built-in, file-based repositories are not automatically replicated to managed nodes in a federated repositories configuration. You need to use the administrative console to replicate the changes you make to a built-in, file-based repository."
"If the WebSphere Application Server is installed in a clustered environment, then these files are distributed to all the cluster members based on the standard WebSphere Application Server configuration distribution mechanism. All the write functions occur only at the Network Deployment Manager (NDM) server, but the read functions are performed using the local file repositories."
End Result: You may not use "Edit my Profile" to modify users or their passwords in a File Repository. It must be done via the Deployment Manager console.
- Limitation #4: SPNEGO will not work with file-repository users
"The registry used by WebSphere is not the Active Directory domain LDAP, or Global Catalogue, but is some other virtual registry (for example, a file-based custom user registry)."
End Result: Administrative users in the file repository will not be able to use SPENGO if configured.
- Limitation #5: Tivoli Access Manager integration will not work with file repository users
"You can configure only one LDAP repository under federated repositories, and that LDAP repository configuration must match the LDAP server configuration under Tivoli Access Manager."
End Result: Administrative users in the file repository will need to access the Portal server, rather than through TAM. Note, the same is likely true for other External Security Managers (such as Siteminder), as those ESMs typically do not have access to the users in the file repository.
- Limitation #6: Application groups are not supported with file repository users
"Note: Application groups only apply to WebSphere Portal; it does not apply to external security managers. Also, application groups is not supported when using the default federated repository with a built-in file repository."
End Result: If an administrative user exists in the file repository, it is not supported to make that user a member of one or more application groups. This is a WebSphere Portal specific limitation.
- Limitation #7: Multiple Wildcards not supported with file repository users
"The VMM file-based repository does not support search queries with multiple wildcards"
End Result: If searching for users in the Portal with multiple wildcard, e.g. searching for John Doe via Jo* Do*, such searches will fail. Both the file repository and LDAP will be searched with this query, and the query will fail on the file repository, causing the entire search operation to fail and have no results return to the end user.
After creating or modifying a URL mapping in a virtual portal, users may no longer be able to access the virtual portal via browser, and administrators may no longer be able to successfully administer the virtual portal via XMLAccess. Such issue has been confirmed by IBM Support as a defect and reported via APAR PM47138. If you are using virtual portals in your environment, Support highly recommends installing cumulative fix (CF) 9 for WebSphere Portal 18.104.22.168
in order to prevent this problem scenario. For those users who already experience such an issue, there are two options for recovery:
1) Restore the Portal database from backup.
2) Open a PMR with IBM Support to request assistance in remapping the URL context to the virtual portal. Upon opening such PMR, the following database tables from database domain "release" should be provided for review by Support:
Note 1: The defect can manifest itself such that when you log into a virtual portal and navigate to the URL mapping portlet, you are unable to see the context root for your virtual portal. Thus, you are unable to create any URL mappings for the virtual portal via the UI since they need to be created as children of the context root. Any URL mappings you do try to create in this case get created as additional context roots and cause undesired results (e.g. redirecting to base portal) if you attempt to utilize them.
Note 2: A flash technote will be published today communicating this same information.
*** Location of Virtual Portal Scripts
When you create the virtual portal by using the Virtual Portal Manager portlet, the virtual portal is pre-filled with default content. This default content is determined by the default XML script file for initializing virtual portals.
In previous versions of Portal, the Virtual Portal (VP) initialization xml scripts are stored on the file system in the directory ...//wp_profile/installedApps/<node_name>/wps.ear/wps.war/virtualportal. In Portal 7, the VP initialization scripts are located in a WebSphere Application Server (WAS) asset named VirtualPortal.zip. To get to this file, access a WebSphere Application Server administrative console, select Applications -> Application Types -> Assets, and locate the file in the list.
This VirtualPortal.zip file is physically located in:<wp_profile>/config/cells/<cellname>/assets/VirtualPortal.zip/aver/BASE/bin (in a stand-alone Portal environment)
<DMGR_profile>config/calls/<DMGR_Cell_name>/assets/VirtualPortal.zip/aver/BASE/bin (in a clustered environment)
In a migrated Portal v7 environment, as part of the migration process the virtual portal scripts are removed from the .../wps.ear/wps.war/virtualportal directory and moved to a WAS asset zip file named MigratedVirtualPortal.zip and is located in the .../VirtualPortal.zip/aver/BASE/bin directory as mentioned above.
*** WebSphere security role required
As the VP initialization scripts are now located in a WAS asset, WAS security comes into consideration when Portal class is accessing WAS services. As a result, if the user who attempts to create or initialize the VP has no proper privileges on the WAS, the task cannot access the XML file used to initialize the virtual portal and it will fail with the exception "EJPAH2012E: Can not find xmlaccess script".
This issue was reported under APAR PM39581, and a fix was released as part of Cumulative Fix CF006 for Portal 22.214.171.124, but unfortunately the WAR is not redeployed in CF06, CF07, or CF08. The WAR is properly redeployed in CF09.
Therefore, in CF06, CF07, or CF08 to take advantage of this fix, customers should manually redeploy the WAR by copying PortalServer/ap/wp.ap.virtualportal/installableApps/ManageVirtualPortals.war to PortalServer/installableApps/ManageVirtualPortals.war and then running the ConfigEngine.sh/bat deploy-portlet-upgrade-wp.ap.virtualportal
If you can not upgrade Portal to the later CF that includes this fix, you can workaround this issue by logging in to the IBM® WebSphere® Integrated Solutions Console (ISC) admin console as the WAS administrative user and giving the user who is trying to create or initialize the virtual portal the "Monitor" role, which is the minimum requirement.
* Steps to add "Monitor" role for a user:
- Go to: Users and Groups >> Administrative user roles >> Add
- Highlight the "Monitor" role in the Role(s) box
- Search for the user and select the user from the search results
- Click the "Add" button
- Click "OK". Then save to the master configuration.
- Restart Portal
After these steps, user should be able to create virtual portals using the Virtual Portal Manager portlet and to initialize the virtual portal created previously that failed to initialize.
This situation is described in more details in IBM Technote # 1469910
*** Migrated VP scripts vs. Fresh Install VP scripts
Another issue that may occur in Portal v7 environment migrated from Portal v6.1 is caused by a missing Portal resource in Portal v7. The migrated VP initialization script may contain references to the "Manage Seed List" portlet, which has become obsolete in Portal v7 and will cause the script to fail with exception such as:
"EJPXA0025E: The resource was not found in the portal, either because it does not exist or because you have not specified an identifying attribute in the XML input. [portlet <portlet_objectID> name=Manage Seed List]"
The reason that these scripts are not updated during migration is that they are considered customer scripts. The scripts that ship with Portal just have the sample content and pages in them. So there is an assumption that the customer may have updated the scripts with their own pages and content; therefore, the migration process just moves these scripts untouched into the WAS asset VirtualPortal.zip in the target Portal v7 environment.
To avoid this issue,
* BEFORE MIGRATION: Remove those references to "Manage Seed List" in your VP xml scripts. For example, remove these lines:
<portlet action="locate" name="Manage Seed List" objectid="<Manage_Seed_List_objectID"></portlet>
<portletinstance action="update" domain="rel" objectid="portletinstance_objectID" portletref="<Manage_Seed_List_objectID>" shareref="5_CGAH47L008DE402BK8543I18D4"></portletinstance>
(The object ids, portletrefs, sharerefs, etc ... may vary in your installation.)
* AFTER MIGRATION: If you have already migrated, use the WAS admin console to export the VirtualPortal.zip asset, update the VP initialization script as above, then re-import the asset. Refer to the section "Asset Collection" of the Websphere Application Server v7 Information Center for details on how to update the asset.
New to Websphere Portal Performance? Need to better review and understand all aspects of a javacore? Want to have meaningful discussions with L2 support on performance issues based on javacore and data collected?
IBM Research has created a new tool to enable you to review , troubleshoot and analyze performance issues regardless of expertise.
IBM Whole-system Analysis of Idle Time (WAIT) is a lightweight and powerful tool that can be used in almost any Portal or other Java environment. The tool is graphical and can be used by anyone, newbies and experts alike. You can determine the source of performance issueS, easily review call stacks and determine who wrote any piece of code in a portal call stack(WebSphere , Portal , WCM other IBM product or other third party entities)
There is an upcoming demo and discussion of the WAIT tool for Websphere Portal Customers on November 10, 2011
See the following document for more information on the event .
Customer Open Mic: The WAIT tool - Portal Performance Diagnosis and Beyond http://www-01.ibm.com/support/docview.wss?uid=swg27023208
You can review the tool at the following locations
Sneak previews here: http://snappy.watson.ibm.com/wait
External Site http://wait.researchlabs.ibm.com
*** Login URL overview:
WebSphere Portal 6.0, 6.1 and 7.0 all offer the ability to login to the Portal using a specially crafted user of the following format:
For Websphere Portal 7.0.x, a full example of this URL in use would be:
This URL does not bypass normal authentication mechanisms. The username and password are passed along the PUMA, WAS, and VMM/WMM layers as would occur with a normal login via the login portlet. Once authentication completes, users will be redirected to the first page which they have authorization to access (for example, the Getting Started page in Portal 70x). The login URL offers a means of convenience for Portal administrators to bookmark their sites and automatically login each time. Other applications also make use of this URL; Rational Application Developer, for example, uses this same URL when invoking the Portal Admin Console. This login URL can also offer a potential means for Portal adminsitrators to access the Portal Admin console if unable to do so via normal means (i.e. the login portlet, theme, etc. are not functioning correctly). Namely, you can enter the following URL:
...which should in turn bring the Portal administrator to the Administration area without ever accessing the login portlet. There are many other uses of the login URL, and these example illustrate a few of the more common use cases.
*** Using the Login URL over the internet:
A STRONG warning should be given for the utilizing this URL over the internet. The existing URL by itself is unencrypted with the http protocol. Using software such as Fiddler (http://www.fiddler2.com/) or WireShark (http://www.wireshark.org/), it is trivial to sniff the unencrypted http URL and thereby obtain a valid username and password into the Portal system. Therefore, it is recommended to secure this URL if it will be sent over an unsecure network (such as the internet) prior to arriving at the Portal server.
Although there are means to force the WebSphere Portal login portlet to use a secureURL when authenticating users, that same option is not available for the login URL. The login URL can be encrypted with SSL security. However, if this is enabled, then the entire Portal site must also be enabled with SSL, which may not be desirable. If utilizing a web server to access the Portal, such as IBM HTTP Server, it may be possible to include a mod_rewrite rule to force this specific URL over SSL, while all other requests would be permitted over HTTP. However, note this should only be used as a failsafe. Meaning, if a user accesses the login URL over the internet, and accidentally sends the request over HTTP, then the username and password would already be sent in the clear prior to it ever reaching the web server and/or Portal server. The web server with the mod_rewrite rule could reject such requests over HTTP, but, the action would have already been committed and the username and password already potentially sniffed off the network. The web server can still act as a failsafe, but, the client-side must be updated to ensure the first request sent out is not sent out in the clear.
Therefore, if using the auto-login URL, on the client-side, whether it be via a web browser, a custom application, etc., be SURE to utilize the auto-login URL over SSL as a best practice.
We have seen a few cases when customers reported that Portal users could no longer create new pages all of a sudden. This used to work before and had recently stopped working. In the "Manage Pages" portlet, after the user clicks the button "New Page" to create a new page, instead of seeing the Page Properties being loaded, the user gets an exception:
"EJPAS0012E: The Properties page has been launched with no context information"
This issue is usually seen in environment where the "Page Properties" is using a custom theme, either via explicit theme assignment to the page or via inheritance.
The Portal logs do not record much detailed information about this exception. It's generally helpful to get a full export of the Portal configuration for review.
Administration portlets depend on services provided by the Portal theme. If those services are not available to the administrative portlets, exception EJPAS0012E will be thrown. The "Page Properties" page requires the use of the adminNavHelper JSP tag, which must be present in the Default.jsp. If the assigned custom theme is lacking this tag, this issue will occur.
For this scenario, there are two possible solutions for the problem:
+ Solution 1: Assigning the out-of-the-box "Portal" theme for the 'Page Properties" page so that the required services are available.
+ Solution 2: Modify the custom theme and add the <portal:adminNavHelper/> JSP tag to the Default.jsp.
This scenario and details about the solutions are described in IBM Technote # 1395801.
There is also a specific scenario when this issue may occur in older versions of Portal, even though the "Page Properties" page is using the out-of-the-box Portal theme, no custom theme involved. In this case, the issue occurs if there exists a friendly URL called "pageproperies" for the "Page Properties" page.
Support has tested and verified that this issue occurred in Portal 126.96.36.199 but is indirectly fixed in Portal 188.8.131.52 and later versions.
The solution in this scenario is removing the offending friendly URL using XMLAccess (because, due to this issue, the user is unable to launch the "Page Properies" page via the Portal Administration UI to delete the friendly URL).
A sample XMLAccess input script is something similar to:
<?xml version="1.0" encoding="UTF-8"?>
<!-- IBM WebSphere Portal/184.108.40.206 build wp6101_115_01 exported on Wed Oct 05 08:48:05 EDT 2011 from MyPortal6101/127.0.0.1 -->
<request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" build="wp6101_115_01" type="update" version="220.127.116.11" xsi:noNamespaceSchemaLocation="PortalConfig_6.1.0.xsd">
<content-node action="locate" domain="rel" objectid="6_000000000000000000000000A0" uniquename="wps.content.root"/>
<content-node action="update" content-parentref="6_000000000000000000000000A0" create-type="explicit" domain="rel" objectid="6_CGAH47L008DF802B56IQ0D0G94" preserve-old-layout="true" type="page" uniquename="ibm.portal.Page Properties">
<parameter name="com.ibm.portal.IgnoreAccessControlInCaches" type="string" update="set"><![CDATA[false]]></parameter>
<parameter name="com.ibm.portal.ThemePolicy" type="string" update="set"><![CDATA[theme/SingleTopNav]]></parameter>
<parameter name="com.ibm.portal.bookmarkable" type="string" update="set"><![CDATA[No]]></parameter>
<parameter name="com.ibm.portal.friendly.name" type="string" update="remove"><![CDATA[pageproperties]]></parameter>
<parameter name="com.ibm.portal.remote-cache-expiry" type="string" update="set"><![CDATA]></parameter>
<parameter name="com.ibm.portal.remote-cache-scope" type="string" update="set"><![CDATA[NON-SHARED]]></parameter>
Here it is, the new white paper showing how to clone an installation of IBM WebSphere Portal version 7.0 that has been configured for specific deployment needs:
I have been testing the document myself and have come up with a number of observations:
1. The steps have been vastly simplified since the Portal 6.1.x instructions came out. Also there have been some improvements which allow for more flexibility if the new node is on the same LAN, unlike previous versions.
2. These steps are only usable if your OS to OS is comparable -- i.e. Windows 32-bit to Windows 32-bit, or RHEL 32 bit to RHEL 32 bit, etc.
3. Certain 64 bit OS versions will not support the GUI. My first attempt was with RHEL 64 bit in which the exceedingly more complicated ifcli.sh|bat must be run instead of the ifgui.sh|bat which is much simpler to use. At the very least I would suggest that one's initial test should be using the GUI version shown in the white paper.
4. I'm still playing around with but I have noticed that on certain target systems there have been some apparent port conflict problems. I'm still working on what may have caused this as it's not very clear how this occurred.
About two weeks ago, we published a tool that we use internally to troubleshoot failures with ConfigEngine scripts, and failures during WebSphere_Portal startup. The tool is called 'IBM Portal Log Analyzer' and can be found on the Lotus Greenhouse here:
The tool parses the ConfigTrace.log and the SystemOut.log for easier reading and allows you to quickly find failures so that you can begin troubleshooting.
Ideally you would use the tool for the following situations:
- Any ConfigEngine script fails (ConfigTrace.log)
- Fixpack or cumulative fix installation failure (ConfigTrace.log)
- WebSphere_Portal fails to initialize (SystemOut.log)
- WebSphere_Portal is open for e-business, but you cannot access it in a browser. (e.g. you see '404 one or more services failed to initialize'. This means the 'wps' application failed to start correctly.). (SystemOut.log)
- WebSphere_Portal is open for e-business, but one or more of your applications are unavailable. (SystemOut.log)
When a problem occurs the most important step in resolving the issue is providing IBM Portal L2 Support with a complete set of diagnostic data including traces and logs. The task of doing this manually involves enabling tracing, recreating the issue, manually packaging files, and uploading them to support. In the past we have recommended ISALite, which is a tool available for download, that automates the process of selecting a problem type, recreating the issue, collecting the needed logs and files, and uploading them to support. We are currently in the process of moving to a web based tool called IBM Support Assistant Data Collector (ISADC). When available, the ISADC will not require the end user to download and install a collection tool, however it will still provide the same benefits as ISALite. ISADC will have the following advantages over the existing ISALite tool...
- You will not have to download and install an application.
- Since ISADC is client-server based, you will always be using the latest scripts.
- When opening electronic problem tickets with IBM via SR you will be able to start a data collection and provide the initial logs and files to Portal L2 Support.
- When an automated data collection is provided at PMR creation the problem investigation and determination is expedited.
The ISADC for WebSphere Portal will be released as a Tech Preview very soon. More functionality will be released in the coming months. Stay tuned to the blog for additional details and watch for the ISADC link in the SR tool. We welcome any feedback or suggestions regarding ISADC or automated data collection in general.
Websphere Portal L2 support
Updates to the list I posted previously:
6. Enable Security Integration.
7. Make sure WAS APAR PM00610
8. If possible, disable Interoperability Mode.
9. Restrict access to clients maintained by your organization (i.e. patch browser & OS vulnerabilities).
10. Restrict access to networks maintained by your organization (e.g. consider especially security of DNS to the client).
In this second part we want to take a look at the section on "Architecting a Portal solution". There will be 7 questions on this area on the test.
Topics covered are
- Business catalog portlets
- Live text
- Integrating existing apps(Clipper/WAI)
- Unified Task List Portlet
So if you understand the basics of what is provided on the catalog you should be good. By this I mean that IBM and other providers include portlets on the catalog and these portlets are available as . OneUI is a concept that helps to generate a similar look and feel across all of the Lotus products. You can find more information hereOneUI
Find more about the Unified Task list please click here Unified Task List
Please be aware that when the test was created it was in reference to version 3.0 of the portal, and version 4.0 is now out.
Live Text is used mostly for click to action. You can find more information here
. You should read through this section of the infocenter and understand how it works to create source and targets for c2a. Do not spend to much time on this as it is a small part of the exam.
Next time we will deal with a bigger area of the test, portlet development.
WebSphere Portal relies on setting certain cookies to enforce its security controls. As an administrator, you should carefully consider how to protect these cookies in your environment. Unauthorized parties could circumvent WebSphere Portal's security controls given access to:
LTPAToken2 (and LTPAToken, if Interoperability Mode is enabled): Lightweight Third-Party Authentication: WebSphere Application Server relies on this cookie for Single Sign-On. WebSphere Application Server considers a client to be authenticated if it presents a valid LTPAToken2.
JSESSIONID: from the Java Servlet specification: WebSphere Portal's session management uses this cookie.
1. To guard against network eavesdropping, enable SSL for all communications between the browser and the web server. Without an HTTPS pipe, you are relying on the security of the network (which could be a valid option in intranet or VPN environments). If you cannot guarantee network security, it is essential that these cookies be transmitted only within an HTTPS pipe.
2. Define these cookies' domains as narrowly as possible. If a cookie's domain is left unset, the browser should present it to only the server that set the cookie.
3. In conjunction with (1) and (2), consider setting the secure attribute on these cookies. For example, a browser accesses https://portal1.ibm.com/wps/myportal, authenticates, and LTPAToken2 is set with domain=ibm.com. When the browser later requests http://server2.ibm.com, it presents LTPAToken2 over HTTP because of the domain. Setting the secure attribute tells the browser to present the cookie only over HTTPS, regardless of domain.
4. Set HTTPOnly to guard against cross-site scripting (XSS). When HTTPOnly is set for a cookie, the browser should not allow scripts to access the cookie. Of these several recommendations, this is the most highly reliant upon browser implementation. HTTPOnly is a useful tool, but application developers should be vigilant in guarding against XSS regardless of HTTPOnly.
5. Consider your securtiy requirements when configuring LTPA token expiration and session timeouts. Expiration is actually encoded into an LTPA token's value. Simply restricting access to the server long enough for all issued LTPA tokens to expire would mitigate a known breach.
Note: If WebSphere Portal is integrated with an external security manager (ESM) in your environment, you might also need to consider the ESM's cookies. For example, given a valid ESM cookie, a trust association interceptor could instruct WebSphere Application Server to issue a new LTPAToken2.
For more information on these and other WebSphere Portal security topics, refer to:http://www-10.lotus.com/ldd/portalwiki.nsf/dx/Web_security_concepts_and_considerations_for_IBM_WebSphere_Portal_administrators
Many folks are getting started looking at getting certified for WebSphere Portal v7.0. In this first part we will take a look at the test, its makeup, information on it and how to prepare.
First thing to know is that this test is more difficult than the previous versions of the tests. The questions are much more specific and will cover a wider array of topics given all the new v7 functionality.
Taking a look at the test there will be 60 questions, in which you have 75 minutes to answer them. You must get 67% right to pass the certification. Those questions will be compromised of the following areas.
|Architecting a Portal solution
|Installation, Setup, and Configuration
|Additional Development Concepts
|Portal Frameworks & Portlet Services
|Testing, Debugging, Performance Monitoring
There will also be 2 unscored questions.
From the chart above we can see that the test is broken up into 7 core areas with some areas getting more focus that others. For this test you will want to understand the themes and skins of Portal 7.0, the APIs for both portlet specs, as well as the additional portlet services and frameworks that are provided. This covers a very broad range of topics so plan to spend a significant amount of time on each of the major sections.
To start off with your main areas of study will be the following:
Most of the questions will be from these three documents, after careful study you will most likely remember the items that you had read while studying, but be careful to read the whole question as often a key word is changed to make the test challenging.
You can find more about the test here
. There you can find links to additional test information as well as link to a sample test. It would be a good idea to go through the sample test at least once to get yourself prepared for the test.
In future installments we will delve into the specific sections with more study pointers on each section.
Creating a new theme in WebDAV:
Portal v7, themes are broken apart into static template files and
dynamic files. The static template files are stored in WebDAV and use
dynamic content spots to reference JSPs or other dynamic resources.
The dynamic resources are stored in a WAR file. WebDAV directories
include files for the following theme functionality: theme, skin and
steps will create a new theme in portal using WebDAV.
- Using a WebDAV client Connect to http://<server>:10039/wps/mycontenthandler/dav/themelist/
- Copy the csa2.theme to your
- Rename the csa2.theme
folder on your local system to sample.theme
- Update the
metadata\localized_en.properties to reflect the new title. You would
need to modify each localized properties file for each languange.
Modify the theme_en.html file so that you can verify the correct
theme is applied. This file is found in the nls directory
<body class="lotusui tundra locale_en"
- Copy the sample.theme
folder to the themelist entry point using the web dav client.
- In portal create a new page
named Sample Theme and apply the Sample Theme theme using the admin
portlet, best practice is to create the page using the edit mode of
the theme, however creating it through the admin portlet will reveal
some differences in page types in 7.0, and a common customer
Render the page and verify that your theme_en.html is being
rendered. You should see the text ?Sample Theme? rendered on the
Modify your theme_en.html to the following:
class="lotusui tundra locale_en" >
Sample Theme Modified<br>
Copy the modified theme_en.html back to the server using the
themelist entry point
Do you see the update?
By default the WebDAV files are cached for 24 hours. You will need
to change the cache values during theme development in order to see
the changes immediately.
Open the WSAS admin console and go to the WP_ConfigService
Resource Evironment Provider (REP) Resources ->Resource
Environment ? Resource Environment providers
In the custom
properties you will see several entries like the following:
Please see the following section in the infoCenter for more
details about this caching:
Change all of the following entries to a value of 1 and
restart the server. This will reduce the caching for the WebDAV
files to 1 second.
Render the page again and you should see the modified output
from the theme_en.html
note: best practice is to use the fs-type1 entry point for
modifying the files and not the themelist entry point. The themelist
entry point is an admin entry point and is used for altering theme
metadata including the titles. Please note the cache above will only
effect the themelist entry point not the fs-type1. As an additional
exercise reset the caching to default values, restart the server, and
then make a change via the fs-type1 entry point and see that your
changes are immediately visible.
Now that the new theme is created
lets take a few minutes to understand what happened by generating a
complete xmlAccess export of the server using the following technote:
Note that you will be using this XMLAccess export in a future
You should now see a theme defined
like the following (the objectid may be different):
<theme action="update" active="false"
The newly created sample theme is using the PageBuilder2 war file.
This can be seen from the context-root and resourceroot attributes.
There are also several parameters defined for the theme. If present,
parameter is used as the display name for the theme in the themelist
webDAV entry point. This should be a unique value in the system but
this is not enforced. If the ?com.ibm.portal.friendly.name?
parameter is not
available then the uniquename of the theme is used as the display
name. If neither the ?com.ibm.portal.friendly.name
? or the uniquename are
defined for the theme then the theme's OID will be used as the
The themelist webdav entry point mirrors the fs-type1 entry point.
Since the themelist uses the ?com.ibm.portal.friendly.name
as the display name it has to be unique. If there are two themes that
have the same value, only one will be displayed.
When our sample theme is rendered the default.jsp of the PageBuilder2
WAR is the main entry point. The default.jsp will then call the
correct theme.html file to execute. It determines the correct path by
using the com.ibm.portal.theme.template.ref parameter.
Creating a new theme WAR file
The theme WAR file will contain the
dynamic resources. As stated in the previous section the default.jsp
PageBuilder2 theme is used when our
sample theme renders. If you want to modify the default.jsp or any of
the dynamic resources you should create a new WAR to contain them.
- Copy the following WAR into
a temporary working directory:
- In Rational Application
Developer (RAD) or Eclipse, create a new Dynamic Web Application
titled PageBuilder2 theme from the temporary working directory you
created above for the new WAR.
I created a new project then pasted the contents of the war
directory into the web content directory
Open up the web.xml and change the display name to ?SampleTheme?
Under the themes\html directory your will see a folder named
PageBuilder2. Rename this directory to SampleTheme. This directory
name will be used as the resourceroot in a later step so if you name
it something different you will need to update the resourceroot
We will also add some content to the Default.jsp so that we can
verify the correct theme is being picked up.
default.jsp and add the following code right after the include to
the bootstrap.jspf:(this default.jsp will be in the root html
directory not in the theme directory
Export the WAR from RAD
Import the WAR into the WSAS admin console.
the theme use ?/sampletheme? as the context root for the theme. This
will be used in a later step for the ?context-root? in the xmlAccess
file. If you name this differently you will also have to change the
context-root value in later steps.
Start the application in the WSAS admin console
- We will use the xmlAccess
export from a previous step to change the context-root and
resourceroot of the sample theme to point to the newly created WAR
Note: Please refer back to step 4 and step 7 if the values for
context-root and resourceroot are not clear.
<theme action="update" active="false"
Note: You will need to use the information from your export
since the OIDs will be different. You cannot use the xml above.
Import the modified xml file using xmlAccess. You can do this by
simply navigating to the Portal Administration Console and choosing
the import XML option and then pointing to the updated xml file for
Now render the page again and you should the following:
Now modify the bannerNav.jsp
to add some additional markup.
Sample Theme bannerNav.jsp<br
Renders the links in the banner (Home, Admin,
etc.) server side --%>
Rebuild the WAR and then update it in the WSAS admin console.
Refresh the page, do you see
the updated markup you added in the bannerNav.jsp?
see your changes in the
The default.jsp of the Sample
Theme is used when rendering the page with the theme applied. However
as stated previously the default.jsp will call the static theme
template that is defined in the themes metadata. For the sample theme
uses the following:
If you inspect the
theme_en.html file you see the following dynamic-content-spot that is
used to render the bannerNav.
<!-- responsible for the top most navigation links
(horizontal list) -->
<a rel="dynamic-content" href="dyn-cs:id:bannerNav@tl:oid:csa2.theme"></a>
This markup will inform the
static page parser in WebSphere Portal to look for
dynamic-content-spot with an id of bannerNav. You will also notice that the href
This instructs the static page
parser to look in the theme with a uniquename of csa2.theme for any
All this means is that your
theme is still using the bannerNav.jsp from the PageBuilder2 WAR file
and not from your custom SampleTheme WAR.
If you want it to your content spots
to pull from your custom war you would need to change them to
reference your custom war.
You have three options:
Please see the following section of
the InfoCenter for more details
- Defining a custom content
spot via the resource environment provider
- adding an override to the
- changing the href to be a
I would like to take a high level overview of the various programming entry points that WebSphere Portal provides to allow you access into the internals of the Portal to both make changes as well as request information about various aspects of the Portal.
The first thing to understand is that you will almost always have to get a home object which represents the starting point for interactions in that package. Such that if you wanted information on access control you would use a JNDI lookup to retrieve AccessControlHome, or for PumaHome if you want to get information on the Portal User interface. Once you have the Home you will need to get either the Model or the Provider object depending on the needs of the code. Next we will look at the most common packages and their uses.
This package will contain information regarding access control information on various resources. You can check the ACL data on any item that supports the Identifiable interface(which is most everything in portal). So this would include Pages, Portlets, Containers, whatever you might have. you can pass in and either get the entire role data set or check to see if certain users have a specific permission, or if the current user has a specific permission. You could use this to customize visible data in your portlets, and on your pages depending on what was needed for the environment.
This next package is useful for customizing the Portal login/logout mechanism. These will only be triggered when you try to access a Portal protected resources. This replaces the customization that used to be made in the LoginUserAuth classes by now adding them to the Portal login filter chain. One thing to be aware of is the difference between implicit and explicit login/logout. The Implicit login is where a user us already authenticated to WebSphere AppServer but then attempts to reach a portal resource. They will then go through the Portal implicit login chain.
This package has many providers that will see some of the most use out of the other ones. With this package you can retrieve a list of languages the Portal supports, the markup that the Portal supports, information about the navigation, content, navigation selection, portlets, themes, skins and helpers to localize resources when presenting them to users. All of these models will be read only while the subpackage com.ibm.portal.model.controller will give you write access to all of these. All of these will be scoped to the user making the request. With the controller package you can create pages, add portlets to the page and remove them, set skins on the page, alter properties about all of these including ordinality. A developerworks article is in the plan for this from support to show examples of the most common questions using the controller SPI
The providers in this package will allow you to traverse the tree for navigation of the current user. they can be useful in creating breadcrumbs and creating your own custom navigation portlets. These along with the com.ibm.portal.state package can be used to create links to do a grand variety of actions within portal. Please see Advanced URL helpers for a detailed sample on using the state package to create links to various Portal resources.
com.ibm.portal.portlet and com.ibm.portal.portletmodel
These two packages provide a lot of information concerning the various layers of portlets they can be used to make changes to the portlet configuration and also can retrieve preferences layers for review.
Also known as PUMA this is the usermanagment part of the SPI, with it you can do user management, and queries. For more on PUMA please see PUMA whitepaper
This covers the majority of the SPIs that customers use, and can do 90% of what you need to do in your custom Portal environment for management and administration.
First entry in the blog for level 2 support. Several of us here in Portal Level 2 support had the idea to create a blog to help foster communication with the community. We also plan to include helpful articles as often as possible covering as many topics as we can. We will start of in the development realm with taking a look at the controller spi and studying for the 7.0 developer exam. If you have any topics you would like to see us cover in the coming months please let us know.